Allied Telesis Layer 3 Switches Switch User Manual


 
Create A Secure Network With Allied Telesis Managed Layer 3 Switches 17
Identifying the user
Using DHCP snooping to track clients
If your DHCP server supports it, you can use “option 82” to record more information about
DHCP clients. This enhances your ability to track users. The switch can pass option 82
information to the DHCP server so that the server can record the switch MAC address, switch
port, VLAN number and subscriber-ID associated with the client.
Example
To pass option 82 information to the server, including the information that port 1 is
room 101, use the following commands in addition to the configuration given in “Setting up
DHCP snooping” on page 16.
enable dhcpsnooping option82
set dhcpsnooping port=1 subscriberid="Room 101"
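The following parser is an added example, not Allied Telesis code or output, showing what the DHCP server (or a log collector sitting beside it) sees once the switch adds option 82: the option is a list of sub-options, and the sub-option codes come from RFC 3046 (1 = Circuit-ID, 2 = Remote-ID) and RFC 3993 (6 = Subscriber-ID). How a particular switch packs its MAC, port and VLAN into Circuit-ID and Remote-ID is vendor-specific and is not stated on this page, so the layout used here (VLAN and port as two 16-bit fields in Circuit-ID, the switch MAC in Remote-ID) and the sample DHCPDISCOVER are constructed for the example only.

```python
"""Parse the DHCP "relay agent information" option (option 82).

Added example, not Allied Telesis code. Sub-option codes: RFC 3046
(1 = Circuit-ID, 2 = Remote-ID) and RFC 3993 (6 = Subscriber-ID).
The Circuit-ID layout (VLAN, port as 16-bit big-endian fields) and the
Remote-ID content (switch MAC) are a constructed convention for this example.
"""

SUBOPTION_NAMES = {1: "circuit_id", 2: "remote_id", 6: "subscriber_id"}


def parse_dhcp_options(options: bytes) -> dict:
    """Walk the DHCP options area (after the magic cookie) into {code: value}."""
    result = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:            # PAD option: a single byte with no length field
            i += 1
            continue
        if code == 255:          # END option: stop parsing
            break
        if i + 1 >= len(options):
            raise ValueError("option %d has no length byte" % code)
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d is truncated" % code)
        result[code] = value
        i += 2 + length
    return result


def parse_option82(value: bytes) -> dict:
    """Split an option 82 value into its named sub-options (raw bytes)."""
    subs = {}
    i = 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("sub-option has no length byte")
        code, length = value[i], value[i + 1]
        data = value[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("sub-option %d is truncated" % code)
        subs[SUBOPTION_NAMES.get(code, "suboption_%d" % code)] = data
        i += 2 + length
    return subs


def build_option82(vlan: int, port: int, switch_mac: bytes, subscriber_id: str) -> bytes:
    """Encode an option 82 value using the constructed Circuit-ID layout above."""
    circuit_id = vlan.to_bytes(2, "big") + port.to_bytes(2, "big")
    sub_id = subscriber_id.encode("ascii")
    return (bytes([1, len(circuit_id)]) + circuit_id
            + bytes([2, len(switch_mac)]) + switch_mac
            + bytes([6, len(sub_id)]) + sub_id)


def describe_client(options: bytes):
    """Return where a DHCP client is attached, or None if option 82 is absent."""
    opts = parse_dhcp_options(options)
    if 82 not in opts:
        return None
    subs = parse_option82(opts[82])
    circuit_id = subs.get("circuit_id", b"")
    if len(circuit_id) < 4:
        raise ValueError("Circuit-ID shorter than the assumed VLAN+port layout")
    return {
        "vlan": int.from_bytes(circuit_id[0:2], "big"),
        "port": int.from_bytes(circuit_id[2:4], "big"),
        "switch_mac": subs.get("remote_id", b"").hex(":"),
        "subscriber_id": subs.get("subscriber_id", b"").decode("ascii", "replace"),
    }


# Constructed sample: a DHCPDISCOVER (message type 1) relayed with option 82
# added for a client on port 1 in VLAN 10, subscriber-ID "Room 101".
SAMPLE_O82 = build_option82(10, 1, bytes.fromhex("0011aa22bb33"), "Room 101")
SAMPLE_OPTIONS = bytes([53, 1, 1]) + bytes([82, len(SAMPLE_O82)]) + SAMPLE_O82 + bytes([255])

if __name__ == "__main__":
    print(describe_client(SAMPLE_OPTIONS))
```

A server that stores the returned dictionary alongside the lease gives you the port-to-room mapping the `subscriberid` command above sets up, without trusting anything the client itself puts in the request.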
Using ARP security
When you enable ARP security, the switch drops ARP packets received on non-trusted
(client) ports unless the packets originate from an IP address that is registered in the DHCP
snooping database.
ARP security stops clients that are directly attached to the switch from using IP spoofing or
ARP poisoning. It also protects directly attached clients from being targeted by IP spoofing
and ARP poisoning.
Example
To turn on ARP security, use the following command in addition to the configuration given in
“Setting up DHCP snooping”, above.
enable dhcpsnooping arpsecurity
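To make the check concrete, here is an added model of the decision described above; it is not Allied Telesis code. The DHCP snooping bindings, the trusted (uplink) port set and the ARP packets are all constructed. The model requires the ARP sender IP, sender MAC and ingress port to match a binding; the page only says the IP address must be registered, so matching the MAC and port as well is an assumption of this example.

```python
"""Model of the ARP security check on non-trusted (client) ports.

Added example, not Allied Telesis code. Bindings, trusted ports and packets
are constructed. Matching MAC and port in addition to IP is an assumption.
"""
import struct
from typing import NamedTuple, Optional


class Binding(NamedTuple):
    mac: str
    ip: str
    vlan: int
    port: int


# Constructed DHCP snooping bindings, as learned from DHCP ACKs on client ports.
SNOOPING_DB = [
    Binding("00:aa:bb:cc:dd:01", "10.0.1.11", 10, 1),
    Binding("00:aa:bb:cc:dd:02", "10.0.1.12", 10, 2),
]
# Constructed: port 24 is the trusted uplink towards the DHCP server and router.
TRUSTED_PORTS = {24}


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Build a 28-byte Ethernet/IPv4 ARP packet (op 1 = request, 2 = reply)."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))


def parse_arp(packet: bytes) -> dict:
    """Decode the fixed ARP header; reject anything that is not Ethernet/IPv4."""
    if len(packet) < 28:
        raise ValueError("ARP packet shorter than 28 bytes")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", packet[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", packet[8:28])
    return {
        "op": op,
        "sha": sha.hex(":"),
        "spa": ".".join(str(b) for b in spa),
        "tha": tha.hex(":"),
        "tpa": ".".join(str(b) for b in tpa),
    }


def find_binding(ip: str, mac: str, port: int) -> Optional[Binding]:
    """Look up the snooping database for this (IP, MAC, port) combination."""
    for binding in SNOOPING_DB:
        if binding.ip == ip and binding.mac == mac and binding.port == port:
            return binding
    return None


def arp_security_verdict(packet: bytes, ingress_port: int) -> str:
    """Return "forward" or "drop" for an ARP packet received on ingress_port."""
    if ingress_port in TRUSTED_PORTS:
        return "forward"                 # trusted ports are not inspected
    try:
        arp = parse_arp(packet)
    except ValueError:
        return "drop"                    # malformed ARP on a client port
    if find_binding(arp["spa"], arp["sha"], ingress_port) is None:
        return "drop"                    # sender not in the snooping database
    return "forward"
```

The bindings are only as complete as the DHCP traffic the switch has seen, which is why the feature is enabled on top of the DHCP snooping configuration rather than on its own: a statically addressed host on a client port has no binding and its ARP traffic is dropped.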
Using 802.1x port authentication
With 802.1x port authentication, hosts must authenticate themselves when they attempt to
access a network through an Ethernet port.
Unlike DHCP snooping, 802.1x only authenticates users when they access the port. It cannot
track them afterwards.
A network controller, such as a RADIUS server, controls the authentication. The Allied
Telesis switch facilitates the host-to-server communication and takes note of success or
failure. Essentially, the host is completely denied access to the Ethernet until the switch sees
the host successfully authenticate with the server. After that, the switch allows packets to
and from the host to pass through the 802.1x controlled port.
802.1x can also dynamically assign the host to a VLAN.
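The following is an added model of the authenticator behaviour just described, not Allied Telesis code: a port blocks the host's traffic until the switch has seen the RADIUS server accept the host, then forwards it, and an accept can carry a VLAN to place the port in. Two details come from the standards rather than from this page: authentication (EAPOL) frames always reach the switch through the "uncontrolled" port, and the VLAN is carried in the RADIUS attributes Tunnel-Type (13, VLAN), Tunnel-Medium-Type (6, IEEE 802) and Tunnel-Private-Group-ID (RFC 3580). Tying the authorized state to one host MAC per port is a constructed simplification.

```python
"""Model of an 802.1x authenticator's controlled port.

Added example, not Allied Telesis code. EAPOL pass-through and the RFC 3580
VLAN attributes are from the standards; one authorized host per port is a
constructed simplification.
"""
from dataclasses import dataclass
from typing import Optional

UNAUTHORIZED = "unauthorized"
AUTHORIZED = "authorized"


@dataclass
class PortState:
    default_vlan: int
    state: str = UNAUTHORIZED
    vlan: int = 0
    host_mac: Optional[str] = None

    def reset(self) -> None:
        """Back to the unauthenticated state on the port's configured VLAN."""
        self.state = UNAUTHORIZED
        self.vlan = self.default_vlan
        self.host_mac = None


def vlan_from_radius(attrs: Optional[dict]) -> Optional[int]:
    """Extract a dynamic VLAN id from Access-Accept attributes (RFC 3580)."""
    if not attrs:
        return None
    if attrs.get("Tunnel-Type") != 13 or attrs.get("Tunnel-Medium-Type") != 6:
        return None
    try:
        return int(attrs["Tunnel-Private-Group-ID"])
    except (KeyError, ValueError):
        return None


class Authenticator:
    def __init__(self, port_vlans: dict):
        # port_vlans: {port number: statically configured VLAN}
        self.ports = {}
        for port, vlan in port_vlans.items():
            state = PortState(default_vlan=vlan)
            state.reset()
            self.ports[port] = state

    def on_radius_result(self, port: int, host_mac: str, accept: bool,
                         attrs: Optional[dict] = None) -> str:
        """Apply the verdict the server returned for the host on this port."""
        ps = self.ports[port]
        if not accept:
            ps.reset()               # Access-Reject: stay (or go back to) blocked
            return ps.state
        ps.state = AUTHORIZED
        ps.host_mac = host_mac
        ps.vlan = vlan_from_radius(attrs) or ps.default_vlan
        return ps.state

    def on_link_down(self, port: int) -> None:
        """Link loss ends the session; the next host must authenticate again."""
        self.ports[port].reset()

    def forwards(self, port: int, src_mac: str, is_eapol: bool) -> bool:
        """Does a frame from src_mac pass through this port?"""
        if is_eapol:
            return True              # uncontrolled port: EAPOL always reaches the switch
        ps = self.ports[port]
        return ps.state == AUTHORIZED and ps.host_mac == src_mac
```

The model also shows the limitation noted above: once the port is authorized nothing further is checked about the host, so the "cannot track them afterwards" point is a consequence of the design, and DHCP snooping remains the feature that records what the host does with its address.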
Examples
For examples of 802.1x authentication, see the following How To Notes:
• How to Configure A Secure School Network Based On 802.1x
• How To Use 802.1x VLAN Assignment
• How To Use 802.1x EAP-TLS or PEAP-MS-CHAP v2 with Microsoft Windows Server 2003 to
Make a Secure Network
• How To Use 802.1x Security with AT-WA7400 APs, AT-8624PoE Switches, and Linux’s
freeRADIUS and Xsupplicant
Most of the above Notes describe how to configure the authentication server and the host,
as well as the switch.
Products
All switches listed on page 2
Software Versions
2.6.1 and later